Putting money where mouth is

Laughing Clowns. Photo by Nigel Annison Photography

Webroot are a leading Threat Intelligence company. If you want to get a timely idea of what’s going on in Malware, their blog is an excellent place to start. Recently they got it wrong, when analysing the Target store malware, and instead of attempting a PR offensive, simply apologised. I think this is cool.

The thing is, if you are brave enough to opine on the ever-changing world of IT threats, you would have to be super-human to not make a mistake. A company like Webroot is built on the premise that they get information to their customers fast – almost before customers know they need it. In fact, in an ideal world, the first warning you get of a malware outbreak would be from your threat intelligence company. Sounds simple enough, right? But all the infiltration into hacker undergrounds and buying beers at 2600 meetings will not get much traction into serious, organised, monetised cybercrime. [Note: Alec Muffett is convinced that “cyber” is a null word. There ain’t no cybercrime, just crime. He’s probably right.]

One of the interesting things about Information Security (and yes, although there ain’t no such thing, there is a whole bucket load of people doing it for a day job) is the infinite variety of opinions. Javvad Malik commented on Facebook about the death of expertise, and how for any tall poppy, there are plenty of gnomes eager to knock them down, convinced that their opinion is as good as anyone else’s, and the world deserves to hear them. A friend of mine commented:

Don’t worry, I’m an expert too, it says so in the Daily Mail. Although getting back to the security industry, I wonder if the reason people are reluctant to identify themselves as experts is due to higher than average levels on the Autism Spectrum? That’s just a theory obviously, no idea if ASQ levels are higher in IT Sec. Specifically, while high intelligence can be a factor, I read that self-doubt generally prevents arrogance in relation to their intelligence. Just a theory as well. I know next to nothing on the subject currently, but find it interesting.

My view (since you read this far) is that opinions are like bottoms. We all have them, some smell funny, and it’s rarely considered polite to expose them in public. When I’ve done work as an expert in court, I’ve made painstakingly sure of my facts, and been careful not to overstep the bounds of my competency. Nevertheless, I’ve had lawyers make me unsure of whether it’s still me in my suit.

So, if you are in a position where you are asked to be an expert (for example, presenting to your boss, a customer, or a group of drunken hackers), here are my tips:

  1. Be sure of your facts. As sure as you can be. Be aware of the limits of your knowledge, and prepared to expand them.
  2. Ask colleagues, friends, people you met in a conference. Ask the people you are presenting to.
  3. When you get it wrong, apologise. Correct. Learn. Move on.

And if you have someone who is willing to share knowledge, try not to act like it’s a piñata party, complete with whack-a-mole. People will remember your humility more than they will your arrogance. (Saying “I have this great 0-day flaw for WebSphere that would make everyone in the world PCI non-compliant!” is great. Being able to paint a little picture of a house is great, too. What are you doing with it?)

And if all this makes you smirk, that’s good too. You stay classy.
